Mondoo Release Highlights April 2026
Introduction
April was a packed month for Mondoo. We shipped seven brand-new platforms, gave you a way to find shadow AI before it becomes shadow risk, expanded infrastructure as code scanning, and went deeper across cloud, network, and SaaS coverage. Add the latest CIS benchmark updates, a new compliance framework, expanded vulnerability detection, and our largest-ever MQL expansion, and there's a lot to cover. Let's dive in!
Securing Active Directory
Active Directory is the backbone of identity in most enterprises, and it's one of the most heavily targeted systems in any breach. Mondoo now includes a dedicated Active Directory provider and a new Mondoo Active Directory Security policy.
The provider queries Active Directory Domain Services over LDAP and probes SMB to assess the posture of your domain. The policy turns that data into 78 security checks, each mapped to the compliance frameworks Mondoo ships, so you can understand your directory's SOC 2, ISO 27001, and PCI DSS compliance.
The policy covers the attack paths that matter:
- Stale objects: Inactive users, computers, and domain controllers, plus obsolete operating systems
- Privileged account hygiene: Domain, Enterprise, and Schema Admins, Protected Users, and adminCount orphans
- Kerberos security: AS-REP roasting, Kerberoasting, DES encryption, and password age
- Delegation and trust security: Unconstrained and constrained delegation, RBCD, and domain trust SID filtering
- ADCS misconfigurations: Certificate escalation paths from ESC1 to ESC13
- ACL-based attack paths: Dangerous delegations and DCSync rights
- Domain configuration: LAPS, functional level, machine account quota, and LDAP signing
- SMB security posture: Signing, encryption, SMBv1, null sessions, and LDAP channel binding
The provider is just as useful for ad hoc investigation. Say you want every Kerberoastable account that also belongs to a privileged group, a prime target for attackers. With the cnquery shell connected to your domain, that's one line of MQL:
activedirectory.users.where(kerberoastable && isPrivileged) {
  sAMAccountName
  servicePrincipalNames
  passwordAgeDays
}
The answer comes straight back:
activedirectory.users.where: [
  0: {
    sAMAccountName: "svc-sql-admin"
    servicePrincipalNames: [
      0: "MSSQLSvc/sql01.corp.local:1433"
    ]
    passwordAgeDays: 612
  }
]
A privileged service account with a Kerberoastable SPN and a password that hasn't been rotated in over a year and a half is exactly the kind of finding the Active Directory Security policy surfaces and scores for you automatically.
Point Mondoo at a domain controller, and you get a prioritized, attacker-aware view of your Active Directory security posture. To get started, see Assess Active Directory Security with cnspec.
Catch Shadow AI Before It Becomes Shadow Risk
AI coding assistants and agents are spreading across engineering teams faster than security teams can track them. April adds a new AI Security policy with 38 checks and a companion inventory pack, plus roughly 25 new MQL resources for detecting AI agents and tools, including Claude, Codex, Copilot, Gemini CLI, Windsurf, Zed, Cline, Continue, Kiro, Goose, Junie, Augment, Warp, Kilo Code, OpenHands, Qwen Code, Antigravity, IBM Bob, OpenClaw, Snowflake Cortex, Roo, Trae, OpenCode, Pi, and Mistral Vibe.
Now you can discover which AI tools are actually running across your fleet and bring that footprint under the same security visibility as the rest of your environment. And this is just the start. A lot more shadow AI detection is landing in the coming weeks, so stay tuned.
Security for More of Your Cloud
Whether you run a handful of Droplets, a cost-optimized Hetzner project, or a self-hosted Proxmox cluster, Mondoo gives you the same out-of-the-box coverage you get on the hyperscalers. April adds three new cloud platforms, each with its own security policy:
- DigitalOcean: A new provider and a DigitalOcean Security policy with 20 checks across Droplets, Cloud Firewalls, Managed Databases, Load Balancers, Kubernetes (DOKS), TLS certificates, Spaces object storage, the CDN, and App Platform. It hardens against unauthorized access, data exposure, weak cryptography, and end-of-life software.
- Hetzner Cloud: A new provider, bundled directly into cnspec, and a Hetzner Cloud Security policy with 12 checks across cloud servers, firewalls, load balancers, TLS certificates, and IP addresses, focused on network segmentation, encryption in transit, and CVE exposure.
- Proxmox VE: A new provider and a Proxmox VE Security policy with 46 checks for the self-hosted hypervisor, covering access control and two-factor authentication, the Proxmox firewall, LXC container and QEMU/KVM VM isolation, Spectre and Meltdown mitigations, cluster and live-migration encryption, backup encryption, and ANSSI-BP-028 kernel hardening.
Secure Your Infrastructure as Code
Catching misconfigurations before they reach production keeps getting easier. Mondoo now scans three more infrastructure as code formats, evaluating the same security policies against your IaC that you run against live infrastructure:
- Azure Bicep: Scan Bicep templates against your Azure security policies before you deploy.
- Helm: Scan packaged or unpacked Helm charts for Kubernetes misconfigurations.
- Kustomize: Scan a Kustomize overlay before it's applied to a cluster.
Each one is a single command:
cnspec scan bicep main.bicep
cnspec scan helm ./my-chart
cnspec scan kustomize ./overlays/production
The bundled policies are just the start. Each format exposes its templates as queryable MQL resources, so you can inspect exactly what you care about and enforce your own standards in pull requests and CI. Bicep gives you resources, parameters, modules, and compiled ARM templates. Helm gives you chart metadata, dependencies, maintainers, and the rendered Kubernetes resources. Kustomize gives you patches, generators, image overrides, and the rendered build output.
Confirm every Bicep storage account enforces HTTPS:
bicep.files {
  resources.where(type == "Microsoft.Storage/storageAccounts").all(
    properties["properties"]["supportsHttpsTrafficOnly"] == true
  )
}
Make sure no container in a Helm chart runs as root:
helm.charts {
  resources.where(kind == "Deployment").all(
    manifest["spec"]["template"]["spec"]["securityContext"]["runAsNonRoot"] == true
  )
}
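The query above only reads the pod-level securityContext, and a container-level securityContext overrides it in Kubernetes, so a chart can pass that check while one of its containers still runs as root. The following is an added example, not a query shipped with the Mondoo release or its policies; it reuses the helm.charts and manifest fields shown above and assumes the standard Kubernetes pod template layout and MQL's `_` placeholder for the current element of a dict array:

```mql
// Effective runAsNonRoot per container = container-level value if set,
// otherwise the pod-level value. Pass only if every container is non-root.
helm.charts {
  resources.where(kind == "Deployment").all(
    // No container may explicitly opt back in to running as root.
    manifest["spec"]["template"]["spec"]["containers"].none(
      _["securityContext"]["runAsNonRoot"] == false
    ) &&
    // Then either the pod template sets it for everyone, or every
    // container sets it for itself.
    (
      manifest["spec"]["template"]["spec"]["securityContext"]["runAsNonRoot"] == true ||
      manifest["spec"]["template"]["spec"]["containers"].all(
        _["securityContext"]["runAsNonRoot"] == true
      )
    )
  )
}
```

Widen the `kind` filter to StatefulSet and DaemonSet if the chart renders those, since they carry the same pod template path.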
Catch Kustomize image overrides that pin a mutable tag instead of an immutable digest:
kustomize.kustomizations {
  images.where(digest == "" && (newTag == "latest" || newTag == ""))
}
Expanded Network Security
Mondoo's network device coverage grew again this month with new out-of-the-box policies and deeper resource support.
New network security policies
Four new policies harden the network devices your infrastructure depends on. They check for secure administrative access, strong authentication and AAA integration, hardened SSH and SNMP, proper logging and NTP time synchronization, security banners, and routing protocol authentication:
- FortiOS Security (33 checks)
- Cisco IOS XE Security (36 checks)
- Cisco NX-OS Security (31 checks)
- Cisco IOS XR Security (27 checks)
Deeper network scanning
- Arista EOS: New resources for AAA, SSH, SNMP, telnet, password, NTP, and port security give you deeper visibility into Arista device hardening.
- Ubiquiti UniFi: 9 new security checks expand coverage of UniFi infrastructure.
- PAN-OS: 4 new security checks add to Mondoo's Palo Alto coverage.
Expanded Cloud Coverage
Cloud security got deeper across the board this month, in three ways. Fine-grained discovery now detects more of your cloud resources as individual assets, so findings, scores, exceptions, and tickets land on the specific resource that needs attention instead of the whole account. Expanded out-of-the-box policies add hundreds of new security checks, so more of your environment is evaluated the moment you connect it. And new MQL resources bring April's newly supported services into reach, so you can write your own checks against everything Mondoo now sees. Here is how that played out across each cloud.
AWS
Fine-grained discovery now surfaces Neptune, EMR, and DocumentDB clusters as individual assets. AWS led the month's MQL expansion with 313 new resources and 627 new fields, reaching Identity Center applications, WorkSpaces Web, CloudFront trust stores, EventBridge Scheduler and Pipes, and Transfer Family connectors and workflows. Onboarding got easier too, with organization-level integration creation for the AWS serverless integration. The Mondoo AWS Security policy added 69 new checks.
GCP
AlloyDB clusters and Spanner, Firestore, and Bigtable instances are now scanned as individual assets. 116 new MQL resources and 141 new fields cover Memorystore, Datastream, Memcached, Cloud SQL backups, and BigQuery connections and reservations. The Mondoo GCP Security policy added 57 new checks.
Azure
Fine-grained discovery now detects container registries, Recovery Services vaults, Synapse workspaces, and Data Factory instances as individual assets. A 14-service security-scanning expansion and updated Azure SDKs add 87 new MQL resources and 130 new fields, including hosts, image galleries, managed disk snapshots, and virtual machine scale sets. The Mondoo Azure Security policy added 40 new checks.
OCI
Network security lists, IAM users, IAM policies, and Object Storage buckets are now scanned as individual assets. 72 new MQL resources and 43 new fields expand coverage to flow logs, database backups, API Gateway, Certificates, and Cloud Guard security zones. The Mondoo OCI Security policy nearly tripled, adding 40 new checks.
Cloudflare
34 new MQL resources and 47 new fields expand Cloudflare coverage with DNSSEC, HSTS, R2 bucket ACLs, WAF, email routing, and SSO. The Mondoo Cloudflare Security policy added 9 new checks.
SaaS Platform Expansion
SaaS platforms gained substantial new coverage this month:
- GitHub: SAML, IP allow lists, codeowners, deploy keys, and audit log streaming
- GitLab: Audit log, SSO links, key age, and full webhook event coverage
- Atlassian: Jira permissions and audit, plus Confluence space and page permissions
- Snowflake: Grants, ACCOUNTADMIN tracking, session policy, shares, and integrations
- Okta: User factors, authenticators, API tokens, and app signing keys
- Tailscale: ACL policy, tailnet settings, and device routes
- Shodan: TLS and certificate data, service banners, CVSS scoring, and host classification
Updated CIS Benchmarks
Keep your systems aligned with the latest CIS guidance. Each new benchmark version reflects the latest technologies and attack methods, so staying current keeps your infrastructure hardened against the threats that matter today. April brought six benchmarks up to their newest versions:
- CIS Microsoft Azure Foundations Benchmark updated to v6.0.0
- CIS Kubernetes Benchmark updated to v2.0.0
- CIS Amazon Linux 2 Benchmark updated to v4.0.0
- CIS Google Workspace Foundations Benchmark updated to v1.3.0
- CIS VMware ESXi 8.0 Benchmark updated to v1.3.0
- CIS IBM AIX 7 Benchmark updated to v1.2.0
New Compliance Frameworks and Mappings
Mondoo now ships the IKT-Minimalstandard 2023 compliance framework, giving teams in scope a ready-to-use mapping for this standard with no manual cross-referencing.
April also expanded the compliance mappings for Mondoo's authored policies, adding mapping support for five new frameworks: the CSA Cloud Controls Matrix v4, DORA, HIPAA, PCI DSS v4, and VDA ISA 5. With more than 300 controls now mapped, you can adopt any of these frameworks and see exactly how every finding from a Mondoo policy maps to the controls you're measured against.
Vulnerability Detection Improvements
April significantly expanded the desktop and developer software Mondoo scans for known vulnerabilities. New application detection now covers:
- Cisco AnyConnect and Secure Client: Vulnerability detection for the Cisco VPN client across Windows, macOS, and Linux, spanning both the legacy AnyConnect Secure Mobility Client and the rebranded Cisco Secure Client.
- BeyondTrust: Detection for BeyondTrust Remote Support, Privileged Remote Access, and Privilege Management.
- Visual Studio: Detection for Visual Studio 2017, 2019, and 2022 across the Community, Professional, Enterprise, and Build Tools editions.
- Eclipse IDE: Detection across Windows, macOS, and Linux.
- Postman: Detection across Windows, macOS, and Linux.
- Azure CLI: Detection for the Microsoft Azure CLI on Windows and Linux.
Mondoo also broadened its existing IDE coverage, adding Linux package detection for the JetBrains family (IntelliJ IDEA, PyCharm, and more) and Visual Studio Code. And it added Fedora 44 to its vulnerability sources, plus a new space setting to exclude release-candidate packages from vulnerability scanning.
April also delivered broad reliability improvements to Windows CVE detection, refining how Mondoo accounts for installed hotfixes, Microsoft advisory data, and registry-reported software so vulnerability findings more faithfully reflect each system's true patch state.
Keyless Cloud Integrations with Workload Identity Federation
Long-lived access keys are a standing liability. They leak, they linger, and they rarely get rotated. April makes workload identity federation (WIF) generally available across Mondoo's cloud integrations, so you can connect your clouds without handing over static credentials.
With WIF, Mondoo authenticates using short-lived, federated tokens instead of stored keys. It is now available for AWS serverless scanning and for Google Cloud, BigQuery, and Cloud Storage integrations. Connecting a new cloud environment is faster and safer, with nothing to generate, store, or rotate.
And There's Even More
That is still not everything April shipped. We don't have room to go deep on all of it, but two things deserve a mention before you go.
Three more platforms joined Mondoo this month:
- Datadog: A new provider for scanning Datadog, covering users, roles, service accounts, API and application keys, security rules, filters, and suppressions, monitors, dashboards, and synthetic tests, so you can audit the security posture of your observability platform.
- Grafana: A new provider for scanning Grafana, paired with a new Grafana Security policy with 11 checks.
- vLLM: A new provider for scanning vLLM inference servers, paired with a new vLLM Security policy with 14 checks covering API authentication, transport and browser exposure, information disclosure, and exposed development and debug routes.
And underneath every feature in this release is the largest MQL expansion in Mondoo's history: 951 new resources and 1,211 new fields in a single month. Every one is a new security question you can ask, a misconfiguration you can catch, or a compliance gap you can close. Whatever you need to inspect, the data is there.